
[SECURITY] [DLA 4460-1] ceph security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4460-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
February 01, 2026                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : ceph
Version        : 14.2.21-1+deb11u2
CVE ID         : CVE-2022-0670 CVE-2024-47866
Debian Bug     : 1016069 1120797

Ceph is a distributed object, block, and file storage platform.

CVE-2022-0670

    A flaw was found that enables an OpenStack Manila user who owns
    a Ceph File System "share" to read/write any Manila share or the
    entire file system. The vulnerability is due to a bug in the
    "volumes" plugin in Ceph Manager. This allows an attacker to
    compromise the confidentiality and integrity of a file system.

CVE-2024-47866

    Using the argument `x-amz-copy-source` to put an object and
    specifying an empty string as its content leads to the RGW daemon
    crashing, resulting in a denial of service (DoS).

For Debian 11 bullseye, these problems have been fixed in version
14.2.21-1+deb11u2.

We recommend that you upgrade your ceph packages.

For the detailed security status of ceph please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ceph

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

